Hi,
We are implementing a SMART on FHIR Provider application (Authorization Code flow, R4).
The launch and token exchange flow is now completing successfully in the Code Console Test Sandbox environment (public sandbox tenant ec2458f2-1e24-41c8-b71b-0e701af7583d).
Workflow
- Launch from Code Console “Test Sandbox”
- Authorization completes successfully
- Token exchange succeeds
- We receive:
  - access_token
  - patient context
  - scope
However, the granted scope is:
fhirUser launch openid
Even though our authorization request includes:
launch openid fhirUser patient/*.read
The patient/*.read scope is not returned in the token.
When we attempt to call:
GET {fhir_base}/Patient/{patient_id}
We receive:
403 Forbidden
{
  "code": 403,
  "message": "code=\"urn:cerner:error:oauth2:resource-access:insufficient-scopes\", error=\"insufficient_scope\", subcode=\"no_scope_for_resource_path\""
}
Configuration
- App type: Provider
- Standard Capabilities: Patient Read is enabled in Code Console
- Testing via: Code Console Test Sandbox
- Region: Public Sandbox (Production region)
Questions
- Is the patient/*.read scope restricted in the public sandbox for provider apps?
- Does additional provisioning need to be completed for patient-level scopes in the public sandbox?
- Is there a specific configuration required to ensure patient read scopes are granted during SMART launch?
Expected Result:
Access token should include patient/*.read and allow FHIR Patient resource access.
Actual Result:
Token does not include patient/*.read and FHIR call returns 403 insufficient_scope.
Thank you.
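The post above shows the two checks a SMART client should make before blaming the server: compare the scope string in the token response against what was requested, and check whether any granted clinical scope actually covers the resource path about to be called. The following is an added example and is not code from the poster or from Oracle Health/Cerner. It assumes the SMART App Launch scope syntax (v1 `patient/Patient.read`, v2 `patient/Patient.rs`) and the `key="value"` layout of the `message` field exactly as it appears in the 403 body quoted in the post; the token value and patient id are constructed placeholders.

```python
import json
import re

# Constructed sample data modelled on the post. The token and patient id are
# placeholders, not real sandbox values.
REQUESTED_SCOPE = "launch openid fhirUser patient/*.read"
TOKEN_RESPONSE = {
    "access_token": "opaque-token-placeholder",
    "token_type": "Bearer",
    "scope": "fhirUser launch openid",   # what the post says came back
    "patient": "12345",
}
# Constructed 403 body, same shape as the one quoted in the post.
ERROR_BODY = (
    '{"code":403,"message":"code=\\"urn:cerner:error:oauth2:resource-access:'
    'insufficient-scopes\\", error=\\"insufficient_scope\\", '
    'subcode=\\"no_scope_for_resource_path\\""}'
)

# SMART clinical scopes: context/Type.perm, where perm is v1 (read|write|*)
# or a v2 letter set drawn from c,r,u,d,s.
CLINICAL_SCOPE = re.compile(
    r"^(?P<ctx>patient|user|system)/(?P<type>[A-Za-z]+|\*)\."
    r"(?P<perm>read|write|\*|[cruds]+)$"
)
# key="value" pairs inside the Cerner-style message string.
KVP = re.compile(r'(\w+)="([^"]*)"')


def missing_scopes(requested, granted):
    """Scopes that were requested but are absent from the token's scope string."""
    granted_set = set(granted.split())
    return [s for s in requested.split() if s not in granted_set]


def scope_covers(granted, resource_type, action="read"):
    """True if some granted clinical scope permits `action` on `resource_type`."""
    for scope in granted.split():
        m = CLINICAL_SCOPE.match(scope)
        if not m or m["type"] not in ("*", resource_type):
            continue
        perm = m["perm"]
        if perm == "*":
            return True
        v1 = perm in ("read", "write")
        if action == "read" and (perm == "read" or (not v1 and "r" in perm)):
            return True
        if action == "write" and (perm == "write" or (not v1 and set(perm) & set("cud"))):
            return True
    return False


def parse_cerner_error(body):
    """Extract code/error/subcode from the key="value" list in `message`."""
    payload = json.loads(body)
    fields = dict(KVP.findall(payload.get("message", "")))
    fields["status"] = payload.get("code")
    return fields


def diagnose(status, body, requested, granted, resource_type):
    """Combine the FHIR error body with the token's scope into a structured verdict."""
    if status != 403:
        return {"reason": "not_scope_related", "status": status}
    err = parse_cerner_error(body)
    if err.get("error") != "insufficient_scope":
        return {"reason": "not_scope_related", "status": status, "error": err.get("error")}
    return {
        "reason": "insufficient_scope",
        "subcode": err.get("subcode"),
        "resource_type": resource_type,
        "covered": scope_covers(granted, resource_type),
        "missing": missing_scopes(requested, granted),
    }


if __name__ == "__main__":
    # Pre-flight: refuse to call GET Patient/{id} when no granted scope covers it.
    granted = TOKEN_RESPONSE["scope"]
    print("requested but not granted:", missing_scopes(REQUESTED_SCOPE, granted))
    print("Patient read covered by token:", scope_covers(granted, "Patient"))
    print(diagnose(403, ERROR_BODY, REQUESTED_SCOPE, granted, "Patient"))
```

Running the pre-flight on the token from the post reports `patient/*.read` as requested-but-not-granted and `covered = False` before any network call, which separates "the authorization server dropped the scope" from "the resource server rejected a token that should have worked". The `diagnose` helper then confirms that the 403 body is the `insufficient_scope` / `no_scope_for_resource_path` case rather than some other 403.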